@rizom/brain 0.2.0-alpha.0 → 0.2.0-alpha.10

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rizom/brain",
-  "version": "0.2.0-alpha.0",
+  "version": "0.2.0-alpha.10",
   "description": "Brain runtime + CLI — scaffold, run, and manage AI brain instances",
   "type": "module",
   "bin": {
@@ -22,7 +22,8 @@
     }
   },
   "files": [
-    "dist"
+    "dist",
+    "templates"
   ],
   "scripts": {
     "build": "bun scripts/build.ts",

package/templates/deploy/Caddyfile

@@ -0,0 +1,67 @@
+# Internal Caddy — path-based routing to brain services.
+# kamal-proxy terminates TLS externally; this runs inside the container.
+:80 {
+	@preview host preview.*
+	handle @preview {
+		reverse_proxy localhost:4321
+
+		header {
+			X-Frame-Options "SAMEORIGIN"
+			X-Content-Type-Options "nosniff"
+			Referrer-Policy "strict-origin-when-cross-origin"
+		}
+	}
+
+	# Health endpoint
+	handle /health {
+		reverse_proxy localhost:3333
+	}
+
+	# MCP endpoint
+	handle /mcp* {
+		reverse_proxy localhost:3333
+
+		header {
+			X-Content-Type-Options "nosniff"
+			Access-Control-Allow-Origin "*"
+			Access-Control-Allow-Methods "GET, POST, DELETE, OPTIONS"
+			Access-Control-Allow-Headers "Content-Type, Authorization, MCP-Session-Id"
+		}
+	}
+
+	# A2A endpoints
+	handle /.well-known/agent-card.json {
+		reverse_proxy localhost:3334
+	}
+
+	handle /a2a {
+		reverse_proxy localhost:3334
+
+		header {
+			X-Content-Type-Options "nosniff"
+			Access-Control-Allow-Origin "*"
+			Access-Control-Allow-Methods "GET, POST, OPTIONS"
+			Access-Control-Allow-Headers "Content-Type, Authorization"
+		}
+	}
+
+	# Plugin API routes
+	handle /api/* {
+		reverse_proxy localhost:3335
+	}
+
+	# Production site: prefer the webserver when present; otherwise fall back
+	# to the A2A interface so core-only deployments never return a bare 502.
+	handle {
+		reverse_proxy localhost:8080 localhost:3334 {
+			lb_policy first
+			lb_retries 1
+		}
+
+		header {
+			X-Frame-Options "SAMEORIGIN"
+			X-Content-Type-Options "nosniff"
+			Referrer-Policy "strict-origin-when-cross-origin"
+		}
+	}
+}

package/templates/deploy/Dockerfile

@@ -0,0 +1,38 @@
+ARG BUN_VERSION=1.3.10
+FROM oven/bun:${BUN_VERSION}-slim AS runtime
+
+WORKDIR /app
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    curl ca-certificates git gnupg debian-keyring debian-archive-keyring apt-transport-https \
+    && curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg \
+    && curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list \
+    && apt-get update && apt-get install -y --no-install-recommends caddy libcap2-bin \
+    && setcap cap_net_bind_service=+ep $(which caddy) \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY deploy/Caddyfile /etc/caddy/Caddyfile
+
+RUN mkdir -p /srv/fallback && \
+    printf '<!doctype html><html><head><meta charset="utf-8"><title>brain</title></head><body></body></html>\n' \
+    > /srv/fallback/index.html
+
+ENV XDG_DATA_HOME=/data
+ENV XDG_CONFIG_HOME=/config
+RUN mkdir -p /app/data /app/cache /app/brain-data && \
+    chmod -R 777 /app/data /app/cache /app/brain-data
+
+CMD ["sh", "-c", "caddy start --config /etc/caddy/Caddyfile && exec ./node_modules/.bin/brain start"]
+
+# --- standalone: bake full project into image (brain-cli deploy) ---
+FROM runtime AS standalone
+COPY package.json ./package.json
+RUN bun install --production --ignore-scripts
+COPY . .
+
+# --- fleet: install published brain at pinned version (ops deploy) ---
+FROM runtime AS fleet
+ARG BRAIN_VERSION
+RUN test -n "$BRAIN_VERSION" \
+ && printf '{"name":"rover-pilot-runtime","private":true}\n' > package.json \
+ && bun add @rizom/brain@$BRAIN_VERSION

package/templates/deploy/kamal-deploy.yml

@@ -0,0 +1,40 @@
+service: __SERVICE_NAME__
+image: <%= ENV['IMAGE_REPOSITORY'] %>
+
+servers:
+  web:
+    hosts:
+      - <%= ENV['SERVER_IP'] %>
+
+proxy:
+  ssl:
+    certificate_pem: CERTIFICATE_PEM
+    private_key_pem: PRIVATE_KEY_PEM
+  hosts:
+    - <%= ENV['BRAIN_DOMAIN'] %>
+    - preview.<%= ENV['BRAIN_DOMAIN'] %>
+  app_port: 80
+  healthcheck:
+    path: /health
+
+registry:
+  server: ghcr.io
+  username: <%= ENV['REGISTRY_USERNAME'] %>
+  password:
+    - KAMAL_REGISTRY_PASSWORD
+
+builder:
+  arch: amd64
+
+env:
+  clear:
+    NODE_ENV: production
+  secret:
+    - AI_API_KEY
+    - GIT_SYNC_TOKEN
+    - MCP_AUTH_TOKEN
+    - DISCORD_BOT_TOKEN
+
+volumes:
+  - /opt/brain-data:/app/brain-data
+  - /opt/brain.yaml:/app/brain.yaml

package/templates/deploy/scripts/provision-server.ts

@@ -0,0 +1,109 @@
+import {
+  readJsonResponse,
+  requireEnv,
+  writeGitHubOutput,
+  writeGitHubEnv,
+} from "./helpers";
+
+const token = requireEnv("HCLOUD_TOKEN");
+const instanceName = requireEnv("INSTANCE_NAME");
+const sshKeyName = requireEnv("HCLOUD_SSH_KEY_NAME");
+const serverType = requireEnv("HCLOUD_SERVER_TYPE");
+const location = requireEnv("HCLOUD_LOCATION");
+
+const headers: Record<string, string> = {
+  Authorization: `Bearer ${token}`,
+  "Content-Type": "application/json",
+};
+const baseUrl = "https://api.hetzner.cloud/v1";
+const labelSelector = `brain=${instanceName}`;
+const MAX_POLLS = 30;
+const POLL_INTERVAL_MS = 10_000;
+
+interface HetznerServer {
+  id: number;
+  status: string;
+  public_net?: { ipv4?: { ip?: string } };
+}
+
+function sleep(ms: number): Promise<void> {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+async function listServers(): Promise<HetznerServer[]> {
+  const url = `${baseUrl}/servers?label_selector=${encodeURIComponent(labelSelector)}`;
+  const response = await fetch(url, { headers });
+  const payload = (await readJsonResponse(
+    response,
+    "Hetzner server lookup",
+  )) as {
+    servers?: HetznerServer[];
+  };
+  if (!response.ok || !payload.servers) {
+    throw new Error(`Hetzner server lookup failed: ${JSON.stringify(payload)}`);
+  }
+  return payload.servers;
+}
+
+async function createServer(): Promise<HetznerServer> {
+  const response = await fetch(`${baseUrl}/servers`, {
+    method: "POST",
+    headers,
+    body: JSON.stringify({
+      name: instanceName,
+      server_type: serverType,
+      image: "ubuntu-22.04",
+      location,
+      ssh_keys: [sshKeyName],
+      labels: { brain: instanceName },
+    }),
+  });
+  const payload = (await readJsonResponse(
+    response,
+    "Hetzner server create",
+  )) as {
+    server?: HetznerServer;
+  };
+  if (!response.ok || !payload.server) {
+    throw new Error(`Hetzner server create failed: ${JSON.stringify(payload)}`);
+  }
+  return payload.server;
+}
+
+async function getServer(id: number): Promise<HetznerServer> {
+  const response = await fetch(`${baseUrl}/servers/${id}`, { headers });
+  const payload = (await readJsonResponse(response, "Hetzner server poll")) as {
+    server?: HetznerServer;
+  };
+  if (!response.ok || !payload.server) {
+    throw new Error(`Hetzner server poll failed: ${JSON.stringify(payload)}`);
+  }
+  return payload.server;
+}
+
+let server: HetznerServer | undefined = (await listServers())[0];
+server ??= await createServer();
+
+let polls = 0;
+while (server.status !== "running" || !server.public_net?.ipv4?.ip) {
+  if (++polls > MAX_POLLS) {
+    throw new Error(
+      `Server ${server.id} did not become ready after ${(MAX_POLLS * POLL_INTERVAL_MS) / 1000}s (status: ${server.status})`,
+    );
+  }
+  if (server.status === "error") {
+    throw new Error(`Server ${server.id} entered error state`);
+  }
+  console.log(
+    `Waiting for server ${server.id} (status: ${server.status}, poll ${polls}/${MAX_POLLS})...`,
+  );
+  await sleep(POLL_INTERVAL_MS);
+  server = await getServer(server.id);
+}
+
+const serverIp = server.public_net?.ipv4?.ip;
+if (!serverIp) {
+  throw new Error(`Server ${server.id} running but has no IPv4 address`);
+}
+writeGitHubOutput("server_ip", serverIp);
+writeGitHubEnv("SERVER_IP", serverIp);

package/templates/deploy/scripts/update-dns.ts

@@ -0,0 +1,55 @@
+import { readJsonResponse, requireEnv } from "./helpers";
+
+const token = requireEnv("CF_API_TOKEN");
+const zoneId = requireEnv("CF_ZONE_ID");
+const domain = requireEnv("BRAIN_DOMAIN");
+const serverIp = requireEnv("SERVER_IP");
+
+const headers: Record<string, string> = {
+  Authorization: `Bearer ${token}`,
+  "Content-Type": "application/json",
+};
+const baseUrl = "https://api.cloudflare.com/client/v4";
+
+interface CloudflareResult {
+  success: boolean;
+  result?: Array<{ id: string }>;
+}
+
+async function upsertRecord(name: string): Promise<void> {
+  const lookupUrl = `${baseUrl}/zones/${zoneId}/dns_records?type=A&name=${encodeURIComponent(name)}`;
+  const lookup = await fetch(lookupUrl, { headers });
+  const payload = (await readJsonResponse(
+    lookup,
+    "Cloudflare DNS lookup",
+  )) as CloudflareResult;
+  if (!lookup.ok || !payload.success) {
+    throw new Error(`Cloudflare DNS lookup failed: ${JSON.stringify(payload)}`);
+  }
+
+  const existing = payload.result?.[0];
+  const url = existing
+    ? `${baseUrl}/zones/${zoneId}/dns_records/${existing.id}`
+    : `${baseUrl}/zones/${zoneId}/dns_records`;
+
+  const response = await fetch(url, {
+    method: existing ? "PUT" : "POST",
+    headers,
+    body: JSON.stringify({
+      type: "A",
+      name,
+      content: serverIp,
+      ttl: 1,
+      proxied: true,
+    }),
+  });
+  const result = (await readJsonResponse(
+    response,
+    "Cloudflare DNS upsert",
+  )) as CloudflareResult;
+  if (!response.ok || !result.success) {
+    throw new Error(`Cloudflare DNS upsert failed: ${JSON.stringify(result)}`);
+  }
+}
+
+await upsertRecord(domain);

package/templates/deploy/scripts/write-ssh-key.ts

@@ -0,0 +1,17 @@
+import { mkdirSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import { requireEnv } from "./helpers";
+
+const privateKey = requireEnv("KAMAL_SSH_PRIVATE_KEY");
+
+let normalized = privateKey.replace(/\r\n/g, "\n").replace(/\\n/g, "\n");
+if (!normalized.endsWith("\n")) {
+  normalized += "\n";
+}
+
+const sshDir = join(process.env["HOME"] ?? "/root", ".ssh");
+mkdirSync(sshDir, { recursive: true });
+writeFileSync(join(sshDir, "id_ed25519"), normalized, {
+  encoding: "utf8",
+  mode: 0o600,
+});